Introduction to AAA Server
Chapter 12
RADIUS Overview
The Remote Authentication Dial In User Service (RADIUS) protocol is widely used to control
access to network services. It defines a standard for information exchange between a
Network Access Server (NAS) and an authentication, authorization, and accounting (AAA)
server that performs authentication, authorization, and accounting operations. A RADIUS
AAA server can manage user profiles for authentication (verifying a user name and
password), configuration information that specifies the type of service to deliver, and
policies to enforce that may restrict user access.
RADIUS Topology
The RADIUS protocol follows a client-server architecture. The client (typically the NAS)
sends user information to the RADIUS AAA server in an Access-Request message and, after
receiving the server's reply (an Access-Accept, Access-Reject, or Access-Challenge), acts
according to the returned information. Each client and server pair shares a secret, which
the client uses to hide the User-Password attribute and the server uses to authenticate
its reply. The RADIUS AAA server receives access requests from the client, attempts to
authenticate the user, and returns configuration information and policies to the client.
The RADIUS AAA server may be configured to authenticate an Access-Request locally or to
act as a proxy client and forward the request to another AAA server. After forwarding a
request, it handles the message exchanges between the NAS and the remote server; because
the password is hidden only hop by hop, a proxy must know the secret for each hop and
sees the password in clear. A single server can be configured to handle some requests
locally and to forward other requests to remote servers.
In Figure 1-1 on page 3 an example ISP uses four AAA servers to handle user requests. Each
user organization represents a logical grouping of users, defined as a realm. Each user
organization dials in to one of the ISP's servers through an assigned NAS, and some NASs
are shared by more than one realm. To provide the appropriate service to a customer, the
server accesses user and policy information from a repository, which may be integrated with
the server, may be an external application, or may be a database that interfaces with the
server. For the HP-UX AAA RADIUS and policy server, repository information may be stored
in flat text files or in an external database, such as an Oracle® database or an LDAP
directory server.
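The following Python example, added here and not taken from the HP-UX AAA Server product or its documentation, puts the client-server exchange and the realm-based topology described above into working code. A NAS builds an Access-Request with the RFC 2865 packet layout, hiding User-Password with the shared secret and the Request Authenticator; a first server answers one realm from its own user store, acts as proxy client for a second realm by re-hiding the password under the secret it shares with the remote server, and re-signs the remote reply for the NAS; each receiver checks the Response Authenticator before trusting a reply. The attribute numbers and the password-hiding and authenticator computations are those of RFC 2865; the secrets, realms, users, NAS address, packet identifiers and the in-process AAAServer class are invented for the example (no UDP transport, no accounting, no policy attributes).

```python
# Added example, not HP-UX AAA Server code: NAS -> server Access-Request exchange with a
# local decision for one realm and proxying for another (RFC 2865 framing); all concrete
# values (secrets, realms, users, NAS address) are invented for the demo.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # RFC 2865 attribute types

def _password_xor(data, secret, authenticator, data_is_hidden):
    # RFC 2865 s5.2: block i is XORed with MD5(secret + hidden block i-1); block 0 uses the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if data_is_hidden else out[i:i + 16]
    return out

def hide_password(password, secret, authenticator):
    padded = password.ljust(max(1, (len(password) + 15) // 16) * 16, b"\0")  # NUL-pad to a multiple of 16, min 16
    return _password_xor(padded, secret, authenticator, data_is_hidden=False)

def reveal_password(hidden, secret, authenticator):
    return _password_xor(hidden, secret, authenticator, data_is_hidden=True).rstrip(b"\0")

def encode_attrs(attrs):   # Type | Length (includes the 2-byte header) | Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data): raise ValueError("malformed attribute")  # check before slicing
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    if len(pkt) < 20: raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt): raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def build_reply(code, ident, request_auth, attrs, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_reply(reply, request_auth, secret):
    # Receiver side: a reply whose authenticator does not verify must be dropped.
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def nas_access_request(username, password, secret, ident):
    request_auth = os.urandom(16)   # must be unpredictable and unique per request
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(map(int, "192.0.2.10".split("."))))]   # invented NAS address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

class AAAServer:
    # users: realm -> {user: password} (local repository); proxies: realm -> (remote AAAServer, shared secret)
    def __init__(self, users, proxies):
        self.users, self.proxies = users, proxies

    def handle(self, pkt, hop_secret):
        code, ident, request_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        reject = build_reply(ACCESS_REJECT, ident, request_auth, [], hop_secret)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a: return reject
        user, _, realm = a[USER_NAME].decode().rpartition("@")
        password = reveal_password(a[USER_PASSWORD], hop_secret, request_auth)
        if realm in self.users:                       # decide locally
            stored = self.users[realm].get(user)      # unknown user must not match an empty password
            ok = stored is not None and hmac.compare_digest(password, stored)
            return build_reply(ACCESS_ACCEPT, ident, request_auth, [], hop_secret) if ok else reject
        if realm in self.proxies:                     # act as proxy client for this realm
            remote, remote_secret = self.proxies[realm]
            fwd_auth = os.urandom(16)                 # new hop: new authenticator, password re-hidden
            fwd_attrs = [(t, v) for t, v in attrs if t != USER_PASSWORD]
            fwd_attrs.append((USER_PASSWORD, hide_password(password, remote_secret, fwd_auth)))
            reply = remote.handle(build_packet(ACCESS_REQUEST, ident, fwd_auth, fwd_attrs), remote_secret)
            if not verify_reply(reply, fwd_auth, remote_secret): return reject
            rcode, _, _, rattrs = parse_packet(reply)
            return build_reply(rcode, ident, request_auth, rattrs, hop_secret)   # re-sign for the NAS hop
        return reject                                  # unknown realm

def demo():
    # Constructed topology: the NAS talks to `edge`, which serves example.net itself and proxies example.org to `remote`.
    nas_secret, proxy_secret = b"nas-shared-secret", b"edge-to-remote-secret"
    remote = AAAServer({"example.org": {"bob": b"correct horse battery staple"}}, {})
    edge = AAAServer({"example.net": {"alice": b"s3cret"}}, {"example.org": (remote, proxy_secret)})
    results = {}   # (user, password) -> reply code
    for ident, (name, pw) in enumerate([("alice@example.net", "s3cret"), ("bob@example.org", "correct horse battery staple"),
                                        ("bob@example.org", "wrong"), ("mallory@nowhere.example", "")]):
        req, request_auth = nas_access_request(name, pw, nas_secret, ident)
        reply = edge.handle(req, nas_secret)
        assert verify_reply(reply, request_auth, nas_secret)   # the NAS checks the Response Authenticator
        results[name, pw] = parse_packet(reply)[0]
    return results
```

Running `demo()` returns Access-Accept for the two correct passwords and Access-Reject for the wrong password and for the realm no server knows. Two things the code makes visible that the overview does not state: the proxy recovers the user's password in clear in order to re-hide it for the next hop, so every proxy on the path must be trusted with it (this holds for any RFC 2865 proxy); and all of the protection rests on MD5 and on the strength of the shared secret, so secrets should be long and random and the RADIUS traffic itself should be confined to a protected network or carried over a protected transport.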